FBI Seizes Anonymizing Email Service Server

Did an FBI server seizure go too far? FBI agents investigating a University of Pittsburgh bomb threat Thursday seized a server, apparently because it was being used to host an anonymous remailer service that had been used to send bomb threats. But the takedown, which was backed by a search warrant, has drawn condemnation from activist groups, who have characterized the seizure as an "attack on anonymous speech."

Service provider May First/People Link said the FBI seized the server--used by European Counter Network (ECN), an Italian service provider--because it hosts an anonymous remailer service called MixMaster, which was allegedly used to send the bomb threats. The server was also used by ECN to host numerous newsletters and several websites, all of which were knocked offline after the takedown.

McClelland said that his company, as well as Riseup and ECN, have been cooperating with the bureau on the bomb threat probe since early in the week. But Wednesday, FBI agents then seized the server used by ECN from a New York City colocation facility shared by May First/People Link and Riseup.

What might be recovered from the anonymous remailer service? According to McClelland, the service involves chains of anonymizing servers, each of which removes the header information from emails to keep the sender's identity private. In addition, the underlying software maintains no logs, meaning that--by design--there was simply no relevant data to be shared with the FBI.

Riseup, which says that it "provides online communication tools for people and groups working on liberatory social change," said that no data relating to its users, keys, or certificates, were on the seized server, and that the root file system was encrypted. It strongly condemned the seizure, which it said knocked offline more than 300 email accounts, roughly 50 to 80 email lists, and several websites.

"The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person," said Riseup spokesman Devin Theriot-Orr in a statement. "This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails."

While the bomb threats have been "horribly disruptive," Theriot-Orr further emphasized to Forbes that many people have a legitimate need to communicate anonymously. "I'd much rather live in a country with anonymous speech and a small number of bomb threats than one that has no bomb threats and no anonymity," he said, characterizing the FBI's server seizure as "an attack on all forms of anonymous communications."

The FBI Wednesday also seized a personal computer, laptop, router, cellphone, and CDs from the apartment of two people in Jackson, Penn., who are under scrutiny in the investigation, reported the Pittsburgh Post-Gazette. Seamus Johnston, 22, who shares the apartment with Katherine Anne McCloskey, 56, told the newspaper that he'd been unable to see a copy of the affidavit linking them to the crime under investigation, as the court papers remain sealed.

"Until I can look at the affidavit of probable cause and see for myself what evidence they have against us, I consider what happened simply an armed break-in," he said. "I have no idea when we'll get the stuff back and no idea why they took it."

An FBI spokesman didn't immediately respond to a request for comment about the server takedown or broader investigation.

This isn't the first time that an FBI server takedown created some collateral damage, or at least inconvenience. Last year, in an apparent scareware-related investigation, the bureau seized 62 servers from a data center in Virginia, which was apparently 59 more than they were due to seize. While extra servers were returned within 24 hours, in that case, about 160 sites were temporarily knocked offline.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

I agree with some of you and would like to add comment. I am not an expert, but I do not remember anything said in any law about a right to anonymous speech. A right to Free speech? As far as I can see if you believe in something, and are not in the moral wrong or supporting danger to others, anonymous speech is unneccisary. This country cannot prosecute you for saying what you believe, even if it is against the country, they can however prosecute you for commiting, causeing, or leading others to believe that hurting or endangering other peoples lives, property, liberty or freedoms is the right thing to do.

As far as "liberatory social change", many prominent figures over the years, and thousands of not so prominent figures have spoke out, in person for these changes. Yes, some have been crucified, by government, and or the people, for their beliefs. But it was these people that started the necessary changes. When was the last time you have heard of an anonymous person causing any change. As a people we respond to a lot of things, but anonymous letters and actions only bring most of us to the conclusion that the person or people behind them are crazy, confused, afraid of what might be really behind their motives, or just plain dismissive. In this country social change is brought about by those that are willing to stand up, show the facts, and gather the support they need. An underground action usually speaks of terrorists and guerillas.

That being said, the FBI had a warrant, or other legal preceedings behind them in order to seize the equipment. That is all there is too it. A bomb threat was made, the FBI traced a clue to the equipment, put in a request to a judge somewhere, the judge considered the validity of the warrent, and the FBI seized the equipment. Does that mean the FBI will find anything? Not necessarily, but the warrant gave them the ability to seize and attempt to find more clues. What is actually in there is irrelevent. It may cause a few upsets for others that may be doing no wrong because their services were interupted for a while, but it may also stop a group of terrorists (yes terrorists, no matter if a threat or an actual bomb, the result is still intended to cause terror, the very definition of terrorist) from communicating or changing their methods, and there is a possiblity of traceing them, or making them slip up, thereby leading to their apprehension.

This country has systems in place for exactly what happened. Sure they are not always the cleanest way to get things done. Sometimes they do not always seem right. There are checks and balances. The judge that issued the warrant for search and seizure, will be held accountable for his decision, but I can tell you that likely he made the right decision for the information he had at the time. The FBI acted in accordance with rules and regulations they had to work with, and everything was done as it should have been with the information available. The bad cops, and conspiricies you see on tv, are not as prelevent as some think they are, and part of that is due to this information age. If something is wrong, it will be found out and publicized like never before in our history. Outrage would then ensue. Law enforcement agencies everywhere do what they can to stick to the letter of the law.

So to believe in anonymous speech, is to automatically add a shodow of doubt to your cause. Stand up and say it if you have something to say, it is the only way you will be listened to. The law enforment agencies of this country are required to protect you, even if your message is completely wrong or biased, from those that would do you harm. It is not treason to talk bad about the country, a government agency, even the president, it is only illegal to threaten or otherwise harm them or anyone else. If change is needed, the people will listen and force the governments hand, that as a people is what we do.

Riseup states that their tools (their systems) are for people workingon "liberatory social change" - however, the FBI has knowledge thatleads them to believe that these systems were being used for bombthreats. I would think that the logical connection would be quiteobvious.

Nobody knows who made the threats? I certainly beg to differ fromyour assertion there. Any traffic on a network can be tracked back tothe original source - no matter how fuzzed, obscured, mangled orotherwise modified to hide the source of that transmission.

As far as calling this an attack on anonymous speech, I believe youare equating the availability of a network service with speech -speech takes on many forms, feel free to search the records of theSupreme Court for anecdotal references. Does the neutralization ofone network service equate to the destruction of all anonymous speech?

It also seems that you are equating anonymous speech with free speech,which I don't believe is exactly the case. Anonymous speech happensin lots of different places, including those locations that have alack of the right to freedom of speech that we enjoy in the UnitedStates. Logically, I fail to see how free = anonymous; however, Iwould entertain your logical proof on the matter.

Fourth Amendment rights, now we're talking something concrete. Rightto be secure from warrant-less searches and seizures, I fully agree.However, there are instances where people do waive those rights. Ifyou allow a law enforcement officer the permission to perform a search- you waive your Fourth Amendment rights. If you have a FederalFirearms License (FFL), you have waived your rights - the ATF isallowed to search your premises to ensure that you are carrying outyour business in a proper and safe manner. One would say that thishas everything to do with privacy - a right to privacy that you waiveby taking an action. To that end, wouldn't making a bomb threat beclassified as taking an action? Are there not repercussions? What isthe more primary classification for the transmission of a bomb threat- threat or free speech? Personally, and I think most would agreewith me, the primary classification would be threat and thetransmission would then be treated in a much different manner than ifit was simply a matter of speaking freely.

Anyone violating my security can be tried for treason? Really? I'dlove to see your definition for treason - here's mine, for the record,"citizen's actions to help a foreign government overthrow, make waragainst, or seriously injure the [parent nation]." Last time Ilooked, that doesn't have the first word about personal freedoms orsecurity - other than that of a citizen taking an action. Sure, Ibelieve that the argument can be made that any actor (foreign,domestic, group or individual) injure my security in the process ofcommitting a treasonous act, but for an act directed against me to beconsidered treason, I believe I would need to hold a relatively highelected office in this country. Smashing a whipped cream pie in theface of the dog catcher of Pascagoula, MS won't rise to treason, butat the same time will violate their security (on the basis ofviolating their personal space).

Yelling "fire" in a crowded theater presents a situational threat tothe occupants of the theater, whether real or perceived. Crafting anddelivering a bomb threat presents a situational threat to theoccupants of whatever location is to be bombed, whether real orperceived. There's the tape that seals this box shut - they are thesame.

Who's rights are being violated here? The users that seem to have alegitimate use for the network service that got disrupted because ofthe FBI's seizure of the servers? What right is being violated? Dothey have no other way of exercising that right than via that service?

Let me ask you this - getting blown up ruins my day, as I wouldimagine it would ruin anyone's day. Now, that said, do I not have thefreedom to have an enjoyable day? After all, aren't we, as Americans,free to enjoy life, liberty and the pursuit of happiness? If I getblown up and I lose my life - can I still have liberty and pursuehappiness? (I'm guessing the answer hinges on your belief in theafterlife). If I get blown up and have to go to the hospital, I stillhave my life and may be able to pursue happiness (depending on howcute the nurses are), but at that point I would have lost my liberty(even for a short time). Again, does freedom of speech trump theinalienable rights that Jefferson wrote about? So, at it's basestlevel - this comes down to which rights trump which other rights.Does possible preservation of life trump the right for free(anonymous) speech in the case of a bomb threat? I believe it does.

As to your red herring fallicies at the end, why not put everyone thatmakes hair dryers in prison as well? After all, don't more people diefrom electrocution (having hair dryers fall into the tub) each yearthan from bombs in the United States? Better yet, why not have theFederal Government issue isolation bubbles to all Americans. Thatway, there's no possibility of passing germs or disease from person toperson, etc. Yes, it's ludicrous - just as ludicrous as yourexamples.

Ball's in your court...

Andrew HornbackInformationWeek Contributor(and no, I don't work for the CIA)

Actually Andrew, nobody said "liberatory social change" had anything to do with bomb threats.

Because of the nature of the servers, nobody knows who made the threats. To seize the servers is an attack on not only anonymous speech- that is essential to some social changes and liberation, but an attack on your right to be secure.

For all we know, a FBI or NSA agent made those threats, simply to justify destroying people's methods of being secure, and speaking freely and securely.

Your fourth amendment right to be SECURE from warrant-less searches and seizures guarantees that nobody is allowed to do this. It's not about privacy or anonymity, it's about security. The same security that keeps you from telling a creepy old man what school your daughter goes to and what route she takes walking home. Anyone violating your security, can be tried for treason, as they are levying war on the states. Just because they to be the only ones with this protection and dominate those who view it as their right, does not give anyone the authority to violate them.

Simply because free speech doesn't protect people yelling "fire" doesn't mean that your rights can be violated just because you're a coward, afraid somebody will get away with blowing you up. Cars and bee stings and malpractice kill hundreds of thousands more people every year, so why don't you ask the FBI to jail doctors and confiscate beehives, Andrew?

So Riseup will have no problem providing clarity on what it considers the legitimate needs of their anonymized email communications and specifically the 50-80 mailing lists provided (clearly not for Spamming) and facts that substantiate their assertions (otherwise we may as well speak of scammers and slanderous use because there is no proof to the contrary). At least one verified use appears to have been the communication of a bomb threat (an illegitimate act in the country where the devices were found with jurisdictional responsibility).

Delinquency (whether a bomb threat designed to instill fear, bullying that leads to suicide, or simple slander for personal gain or to vendicate a perceived slight) could not flourish without the abilitating behavior that permits it. Freedom of speech on the internet does not mean it should be considered a safehaven for scammers, identity theft, phishing, etc. in an increasingly technology based world. They're saying they are willing to accept it to preserve a perceived right to conduct illegitimate acts, I'm saying the costs, a few which I've cited above, are not acceptable to hide irresponsible behavior.

I disagree with the previous comments somewhat. I think what the spokesperson was saying is that there is a price for free speech and anonymity on the Web, and that price is that there are always going to be some people who abuse their freedom with inappropriate behavior. I don't think the person was trying to advocate that type of behavior itself. To me, he was simply saying that he was willing to make the trade-off.Brian Prince, InformationWeek/Dark Reading Comment Moderator

Andrew caught the same section which I wished to comment on, but before that I think the FBI should have provided the authorization for search and seizure to the party being searched or their legal reps.

With regard to Riseup's statement, I have found no reference in the Bill of Rights, Constitution of the USA, or anywhere guaranteeing freedom of "anonymous" speech to those without the ..lls to intelligently and respectfully express their opinion (with regard to US territories since the article references foreign entities). The tone of the exerpt sounds very familiar to the rhetoric used by anarchists (like those in Italy) where the movement is particularly vocal and has been associated to violent acts (bombings, aggressive demonstrations, etc). The only legitimate need for anonymous communications I can think of would be in regimes where freedom of speech is non existant.

In a society, individuals have a justifiable right to feel free to express their opinion to the point that expression does not intrude or oblige someone else to hold the same opinion (unless legally bound). Yelling fire causes emotional distress and could place others in physical danger, same with bomb scares (that's why it's illegal). Anonymous rants easily infringe on slander and cause damage to the honorability of the individual or institution without allowing to accused to face their accuser (in short a rather cowardly method). And I say this as a person in favor of whistle blower legislation as long as the whistleblower uses established, legal channels with the authority to investigate and deny or verify the accusations and not as an avenue for public slander. Liberatory social change comes through individuals who are not afraid to put their face to their statements and lead others with similar thoughts, not anarchists.

"I'd much rather live in a country with anonymous speech and a small number of bomb threats than one that has no bomb threats and no anonymity,"

Uhm, excuse me, but what does making a bomb threat (or rather multiple bomb threats - some reports quote the number to be 128) have to do with "liberatory social change"? And to be quite honest, if social change is being pushed by a group that feels the need to protect those who terrorize other citizens, do we really need that kind of social change?

Freedom of Speech doesn't protect someone who yells fire in a crowded theater, why should it protect someone who is providing the facility for another party to bring terror to other people?

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.